Archive for September, 2009

Last week Google released a new product in the browser space called “Chrome Frame.” Chrome Frame aggressively address a serious pain point for Web developers. However, the overall effects of Chrome Frame are undesirable. I predict positive results will not be enduring and — to the extent it is adopted — Chrome Frame will end in growing fragmentation and loss of control for most of us, including Web developers. Here’s why.

The Chrome Frame plugin is essentially a browser-within-a-browser. Chrome Frame inserts an alternative “rendering engine” into your browser, and allows websites to determine which rendering engine you end up using. (The “Why Chrome Frame” section below has a slightly longer description of the problems developers face and of Chrome Frame, for those not so familiar with browser technology.)

Chrome Frame and Loss of Control

Once your browser has fragmented into multiple rendering engines, it’s very hard to manage information across websites. Some information will be managable from the browser you use and some information from Chrome Frame. If the Smart Location Bar in the “browser” doesn’t show the sites you’re trying to return to, then you need to find a way to open Chrome Frame and search there. Your “browser” can no longer aggregate information for you across websites. This defeats one of the most important ways in which a browser can help people manage their experience.

For many people Chrome Frame will make the Web even more unknowable and confusing. Image you download Chrome Frame. You go to a website. What rendering engine do you end up using? That depends on the website now, not on you. And if you end up at a website that makes use of the Chrome Frame, the treatment of your passwords, security settings, personalization all the other things one sets in a browser is suddenly unknown. Will sites you tag or bookmark while browsing with one rendering engine show up in the other? Because the various parts of the browser are no longer connected, actions that have one result in the browser you think you’re using won’t have the same result in the Chrome browser-within-a-browser.

Getting different results will be awkward even for those of us who understand clearly what is going on. Then imagine someone who isn’t immersed in browser technology. Imagine trying to explain to a neighbor that one day he went to a website, clicked on a button to “add Web capabilities to your browser,” ended up with a duplicate “rendering” technology that surfaces and disappears based on website controls, and this now means that the search bar, location bar and other basic UI elements will work in different ways at different times. This affects individuals directly, and Web developers indirectly. It doesn’t help Web developers if basic ways of interacting with the site be
come awkward, for example if I don’t know where my password was stored and how to access it.

Chrome Frame and Fragmentation

Google is not the only website developer that would find this idea useful. Google is providing the set of features it believes are helpful for making powerful websites. Other websites will have browser features they would find useful for their applications. Imagine having the Google browser-within-a-browser for some sites, the Facebook browser-within-a-browser for Facebook Connect sites, the Apple variant for iTunes, the mobile-carrier variant for your mobile sites — all injected into a single piece of software the user thinks of as his or her “browser.” Each browser-within-a-browser variant will have its own feature set, its own quirks, and its own security problems.

The result is a sort of browser-soup, where a given user action serves up some sort of response, but it’s not clear what the result will be: are my passwords and history stored in chrome frame? Some other variant? In what I think of as “my” browser? This makes the Web less knowable, less understandable, and certainly less manageable.

Why Chrome Frame?

Web developers and website applications face a painful and seemingly never-ending problem: wanting to implement capabilities that some browsers don’t support. The degree of pain this causes is high. Imagine trying to cook a really fine meal with an oven that can’t get above 250 degrees F. In some cases it’s just impossible, in other cases it requires rearranging ingredients, cooking time and the order of preparation. Web developers go through this regularly.

One way of fixing this is to get people to use a new browser. This is effective, but hard. Mozilla Firefox has reached some 300 million people, but hundreds of millions more continue to use the browser that came on the machine they bought, sometimes years ago. Google began offering its own browser — “Chrome” — a year or so ago, but this has yet to gain significant traction. This week Google offered a different solution — a version of Chrome repackaged as a plugin for IE.

For those not familiar with the ins-and-outs of browser architecture, you can think of a browser as having two essential parts. One part we humans don’t see — it’s the part that “speaks” computer languages and talks with Web servers. This is often called the “platform” or the “rendering engine.” The other part is the set of things that human beings see and interact with, which is often called the “front-end” or the “application layer.” The application layer includes the basic browser user interface — the window around content, the buttons, menu items, search box, etc. It also includes parts of the browser that appear based on what you are doing — the dialog boxes, the download manager, the password manager, the security warnings and the other messages.

Chrome Frame breaks this connection by inserting a separate rendering engine into your browser, and allowing websites to determine which rendering engine you end up using. If you download Chrome Frame you see the basic front end of your previous browser, but websites cause your browser to toggle back and forth between the rendering engine of Chrome and the rendering engine of the browser you selected. The application layer of your browser and the platform part of your browser are no longer connected.

At first glance this looks like it might be a useful option, offering immediate convenience to website developers in alleviating a very real pain. But a deeper look reveals significant negative repercussions.

A while back I wrote a post about Firefox that concluded with the idea that each one of us should be the center of our online lives — not a company, not an application, not a business plan. One common response has been: That sounds awesome, but how do we get there? Where do we start?

Well, no surprise — I start with the browser. The browser is the piece of the web that human beings interact with directly; it’s the tool through which people “touch” the web. I have an immense degree of control over my browser. With a website I have the degree of control the website chooses to offer. I am one of many users at a website, but the browser is mine.

These traits make the browser the logical tool for a user-centric (“you-centric” ??) world.

The awesome bar presents automated customization to the user. It aggregates information about my usage across many websites and presents the information back to me. It’s immensely helpful. One area to explore in building a user-centric web experience is other examples where this sort of automated customization would help the user. For example, perhaps knowing my own search history across many website would be helpful to me.

Another form of automated activity to explore is the presentation of customized or individual responses outward, to websites. For example, the browser could automate the current dysfunctional process of logging into and out of websites. There are unquestionably other things we do regularly that the browser can automate and run in the background. Sharing of information is becoming increasingly common. Perhaps the browser could automate response to certain types of requests. There are obviously privacy and control issues with sharing information. That’s why the browser — where I have the most control — is a logical choice.

I’ve been reading about Anthony and Lucas’ trip to their local library as part of Mozilla Service Week. Only a few people came to their “Ask a Geek” table, but Anthony describes a memorably experience nonetheless. I realized that my local library might be a good place to do this as well. It’s on the San Francisco peninsula, but not in Palo Alto or Mountain View, and has a community that isn’t entirely techie. And the library is near the local high school, and I think it fills up with high school students in the afternoon.

One of our mighty system administrators lives in the same town, is an active LUG organizer, and is the perfect person to join me. Now all I have to do is go talk to the library folks and see how welcoming they will be! Also, if anyone wants to join us in the mid-peninsula area drop me a note here.

The online world is new enough that many of us aren’t really sure how we can keep ourselves as safe as possible. In the physical world we have generations of experience about how to minimize risk (beware of dark “shortcuts” through unknown neighborhoods alone at night), and well-developed social institutions to mitigate risk (police forces, insured accounts at banks, etc.). In the online world most of us are still learning what we can do as individuals to improve our own safety. Sometimes it’s daunting.

It turns out that one important thing each of us can do is keep our software up-to-date. By doing so we get a regular flow of security improvements. Firefox has a good update rate. But it’s easy for people to forget to update software that we don’t think about very often. One type of software that’s easy to forget about is a category known as “plugins.” Plugin software works with a browser to display additional types of content. Plugins are not created by the browser developers; they are separate teams and separate software. Because of the interaction with the browser, many people don’t know or forget about updating plugins. And a crash or security problem in a plugin often feels like a problem in the browser. So it’s easy for people to think that they’ve fixed the problem by updating the browser when in fact the plugin is still a problem.

Last week Mozilla tried something new to help people help themselves. The results so far have been encouraging. We realized that a lot of people are using old version of the “Flash” plugin. We suspected that this is because people didn’t know they should update or that updating is an important safety habit. Flash is not a Mozilla product — it’s from Adobe — so updating the browser doesn’t update Flash. And nearly everyone uses Flash to view video. So we put a notice on the Firefox update page, letting people with old, less-secure versions of Flash know that Adobe offers an updated version with security fixes.

The response to this notice has been very high. The percentage of people viewing this (in the English language, US version) and then following the link to update flash is about 30%. This is a very high response rate. A typical response rate for this page is around 5%. A more detailed analysis can be found at our metrics blog.

We’re very careful about putting anything on the Firefox update page, so asking people to deal with a different product is new. The response suggests that people are receptive to clear information about how to keep themselves safer. That’s encouraging. It benefits the individual doing the updating, and also provides a system wide “public health”- like benefit as well.

Online security is a tough problem. It will be with us constantly, just like questions of physical security never go away. There are things each one of us can do to improve our setting. At Mozilla we’ll keep thinking about how we can help people figure out and do these things. And hopefully we’ll be part of a growing community of people doing this.

Jono recently posed the question “What is ‘The Open Web’ and why should you care“. When I’m talking with people who drive cars regularly, I sometimes describe the Open Web by saying it’s a place where there is a decentralized “aftermarket.” “Aftermarket” is the term used to describe replacement parts or equipment that a person uses to maintain or enhance a product. It’s a well known term in the auto industry.

For example, imagine if you bought a car and were forbidden from replacing the windshield wipers or the battery or the tires unless and until the car manufacturer allowed you to do so. Imagine if you could only use a battery that the car manufacturer provided, or approved. And imagine that the only place to buy batteries or windshield wipers or new tires was from the car dealership. In this case your ability to keep yourself safe is reduced — if the manufacturer has only poor quality tires, that’s all you can get. If you want tires for snow but the manufacturer doesn’t offer them, you’re out of luck. If the tires are wildly expensive, you’re stuck. In this setting we would also say goodbye to the variety of independent developers, stores and maintenance centers; everything would be controlled by the automobile manufacturers. Innovation would also be channeled through this same small number of manufacturers. Develop an innovative tire or better stereo system and you have to get the manufacturers to adopt it; you can’t go directly to consumers.

This ability to change components, to enhance or maintain a product the way to meet individual needs is at risk in the online world. Similarly, the ability of independent creators to try new things is at risk. Technology manufacturers use both technical and legal means to restrain this freedom. Some make it difficult technically to change a component. Others try to make it illegal. Some do both.

The Open Web embodies the legal and technical flexibility so that I can decide what combination of products best suits my needs. I may be very happy to stick completely with what the manufacturer of a piece of technology gives me, just as I might be happy to have all my automotive maintenance done by the dealer using exclusively “official” products. I may want to make only a few changes and the options the manufacturer has pre-approved are fine for me. But somewhere in my life I am very likely to want something slightly different, something attuned to me and the quirks of my life. I may need to find a technical guru to help me, but fortunately there are lots of technical communities building interesting things. The Open Web makes this possibility real, a vibrant part of online life.